Security attributes can restrict user rights at a more granular level. Security attributes limit the objects returned by filters based on specific attribute values and allow user rights to be defined on a per-object basis. Security attributes are configured at the application level. Configuring them is a two-step process. First, you must create security attributes for each class requiring security. Second, you must assign security attribute values and access rights to specific user groups.
When you configure security attributes by application, you can only configure security attributes for one application at a time. To configure security attributes for an application:
- In the Repositories pane, right-click on the application you want to configure security attributes for and select Security Attributes | Maintenance. The <Name of Application> : Security Attributes dialog box is displayed.
Note:
The Use Identity configuration is optional. See Using Application-Defined Identity to Determine Rights for more information.
- Click Add. The Add Title dialog box is displayed.
- Enter a Name.
- Click OK.
- In the Class tab, click Add. The Class Security Attribute dialog box is displayed.
- Select the Class you want to associate with the security attribute configuration from the drop-down list.
Note:
When an association class is used as part of the user's identity or to define security for a class, if an association object exists that is related to an object that no longer exists in the system, that association object will be ignored.
For example, imagine you have a User class mapped as the Identity, a Region class, and a UserXRegion association class that associates users to regions (e.g. East, West, South, North). If a User is associated with the North region and the North region object is later deleted, but the association between the User and the North region still exists, that Region is ignored when resolving security.
This situation is most common when using external classes (e.g. the Region class is an external class and North is no longer part of the external data set).
- Click the ellipsis button. The Attribute dialog box is displayed.
- Select the attribute you want to configure as a security attribute and click OK.
- Select the User Groups tab.
- Select the User Group for which you want to configure a security attribute value from the drop-down list.
- In the User Groups tab, click Add. The Add Value dialog box is displayed.
- Enter the value that should determine the user group access rights in the Value field. Once a security attribute is configured for a specific user group, only those users who belong to the user group will have rights to see the attribute within the WorkView interface. For example, you can allow the Tech Support user group rights to see objects that have the Department attribute value equal to Technical Support and nothing else.
Note:
Value comparison is case insensitive.
- If you want the selected user group to be excluded from rights to an object when the value is met, select the Exclude option. When this option is selected, any privileges selected for the user will be denied.
- Select the privileges you want to grant to the user or, if the Exclude check box is selected, exclude from the user when this value is present on an object. You can grant rights to View, Modify, View History, Create, or Delete for objects.
Note:
Security attribute rights will not grant additional rights to what was granted at the class level for a user. Security attributes can be used to be more restrictive than the granted class rights.
- Click OK.
- Configure all of the appropriate values for all the appropriate user groups.
Note:
You can define multiple values for multiple users if needed.
Note: If a user belongs to more than one user group, the least restrictive settings will be respected.
Tip: You can use ~User or ~U to specify that you want the security attribute to be tested against the username of the user currently logged in. You can use the asterisk character (*) to specify that you want to match any value that is not specified as a specific value. These values will adhere to the same security setting. For example, if you want to allow users rights to View every object that is not connected to their login names, but you want to allow View, Create, and Modify rights for those objects connected to their login names, you would create a security attribute value equal to ~User allowing View, Create, and Modify rights. You would then create a security attribute value equal to *, giving the View right.
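The following is an added example, not Hyland code, that models how the security attribute values configured in this procedure resolve to effective rights on a single object, so you can check a configuration (the tip's ~User and * pair, Exclude, multiple user groups, the class-level cap) before relying on it. The evaluation order it uses is an assumption read from the notes above: an Exclude value denies within its own group, the least restrictive result wins across groups, and nothing exceeds the class-level rights.

```python
# Added example (not Hyland's code): a small model of security attribute
# resolution for one user and one object. Assumed semantics: case-insensitive
# value comparison, Exclude denies within a group, union (least restrictive)
# across groups, and the class-level rights act as a hard cap.
from dataclasses import dataclass

USER_TOKENS = ("~user", "~u")   # both spellings from the tip, compared case-insensitively


@dataclass(frozen=True)
class AttrRule:
    group: str           # user group the value is configured for
    value: str           # literal value, "~User"/"~U", or "*"
    rights: frozenset    # privileges granted, or denied when exclude=True
    exclude: bool = False


def rule_matches(rule, attr_value, username, explicit_values):
    """Case-insensitive comparison (per the note). ~User matches the login
    name; '*' matches any value not otherwise configured for the group."""
    target = attr_value.lower()
    if rule.value.lower() in USER_TOKENS:
        return target == username.lower()
    if rule.value == "*":
        return target not in explicit_values
    return target == rule.value.lower()


def resolve_rights(username, user_groups, class_rights, rules, attr_value):
    """Effective rights for `username` on an object whose security attribute
    holds `attr_value`. `class_rights` is the set granted at the class level."""
    effective = set()
    for group in user_groups:
        group_rules = [r for r in rules if r.group == group]
        # Values counted as "specified" for this group, so '*' does not re-match them.
        # Assumption: the login name resolved from ~User counts as specified too.
        explicit = {r.value.lower() for r in group_rules
                    if r.value != "*" and r.value.lower() not in USER_TOKENS}
        if any(r.value.lower() in USER_TOKENS for r in group_rules):
            explicit.add(username.lower())
        granted, denied = set(), set()
        for r in group_rules:
            if rule_matches(r, attr_value, username, explicit):
                (denied if r.exclude else granted).update(r.rights)
        effective |= granted - denied      # Exclude wins inside one group
    # Least restrictive across groups is the union above; the class cap applies last.
    return effective & set(class_rights)
```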